Symptoms

On a computer that is running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, you uninstall McAfee Agent 4.6.2 and restart the computer. The computer crashes during the startup process. Additionally, you receive a Stop error message that is similar to one of the following:

Note The four parameters in the Stop error message may vary, depending on the configuration of the computer.

Consider the following two scenarios for the two different stop errors.

Scenario 1: STOP 0xC000021A STATUS_SYSTEM_PROCESS_TERMINATED. A Windows Update package that contains an update for Win32k.sys is installed. McAfee Agent is then removed by using the FrmInst.exe /FORCEUNINSTALL command, and the system is restarted.

Scenario 2: STOP 0x0000006B PROCESS1_INITIALIZATION_FAILED. A Microsoft security update or a hotfix is installed on the system. A few minutes later, while BootCat.cache is being rebuilt, McAfee Agent is removed by using the FrmInst.exe /FORCEUNINSTALL command, and the system is then restarted.

Cause

This problem occurs because of unexpected behavior in the McAfee Agent uninstaller. The uninstaller renames the folder {F750E6C3-38EE-11D1-85E5-00C04FC295EE} to tmpxxxx.tmp.

Note: The folder {F750E6C3-38EE-11D1-85E5-00C04FC295EE} is located under C:\Windows\System32\Catroot\ and contains the catalog files.

Resolution

More information

The Microsoft Code Integrity component validates the digital signature of each driver when an attempt is made to load it into memory. The system references the C:\Windows\System32\CodeIntegrity\BootCat.cache file. If it does not find the hash for the driver being loaded in that file, it looks in the C:\Windows\System32\Catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder. BootCat.cache is updated a few minutes after a patch is installed. If the BootCat.cache file is not found, it may take around 10-15 minutes after the system boots to re-create a new BootCat.cache file. In both cases, BootCat.cache is built from the catalog files contained in the C:\Windows\System32\Catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder.

In Scenario 1 described in the Symptoms section, BootCat.cache does not have the updated hash for the new Win32k.sys binary, and the C:\Windows\System32\Catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder has been renamed to C:\Windows\System32\Catroot\tmpXXXX.tmp. In this case, Win32k.sys cannot be validated because the catalog file cannot be accessed.

In Scenario 2 described in the Symptoms section, McAfee Agent was removed while BootCat.cache was being updated. This results in the renaming of the C:\Windows\System32\Catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder, and BootCat.cache cannot be built properly because the source catalog information cannot be accessed.
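
A read-only check for the condition described above, to run after the agent is removed and before the computer is restarted. This is an added example, not part of the original article and not Microsoft or McAfee tooling. It reports whether the catalog folder is still in place under Catroot, whether a renamed folder holding .cat files has appeared, and whether BootCat.cache exists. The parameter, function, and property names are hypothetical, and the tmp*.tmp wildcard is an assumption based on the tmpxxxx.tmp name given in the Cause section.

```powershell
# Added example: read-only check; it changes nothing on disk.
# $SystemRoot is a hypothetical parameter; point it at another Windows folder to inspect a mounted volume.
param([string]$SystemRoot = $env:SystemRoot)

$catRoot  = Join-Path $SystemRoot 'System32\Catroot'
$guidPath = Join-Path $catRoot '{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$bootCat  = Join-Path $SystemRoot 'System32\CodeIntegrity\BootCat.cache'

# Count .cat files in a folder; returns 0 if the folder is missing or unreadable.
function Get-CatalogCount([string]$Folder) {
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return 0 }
    return @(Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.cat' }).Count
}

$guidPresent = Test-Path -LiteralPath $guidPath -PathType Container
$guidCats    = Get-CatalogCount $guidPath

# Folders directly under Catroot named like tmpxxxx.tmp (assumed pattern) that hold catalog files.
$renamed = @(Get-ChildItem -LiteralPath $catRoot -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer -and $_.Name -like 'tmp*.tmp' } |
             Where-Object { (Get-CatalogCount $_.FullName) -gt 0 })

$cache = Get-Item -LiteralPath $bootCat -Force -ErrorAction SilentlyContinue

$report = New-Object PSObject -Property @{
    CatalogFolderPresent = $guidPresent
    CatalogFileCount     = $guidCats
    RenamedCandidates    = ($renamed | ForEach-Object { $_.FullName }) -join '; '
    BootCatCachePresent  = [bool]$cache
    BootCatCacheWritten  = $(if ($cache) { $cache.LastWriteTime } else { $null })
    # True when the folder Code Integrity falls back to is missing or has no catalogs.
    CatalogsUnreachable  = (-not $guidPresent) -or ($guidCats -eq 0)
}
$report | Format-List CatalogFolderPresent, CatalogFileCount, RenamedCandidates,
                      BootCatCachePresent, BootCatCacheWritten, CatalogsUnreachable

if ($report.CatalogsUnreachable) {
    Write-Warning "Catalog folder missing or empty under $catRoot. The next restart may fail with the Stop errors described in this article."
}
```

The script avoids PowerShell 3.0-only syntax so that it can run on the Windows PowerShell 2.0 included with Windows 7 and Windows Server 2008 R2.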

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.